With WordPress it is so easy to install any plugin from the WordPress plugin directory. Do a search for it and click “Install”. Whenever I am tasked with finding and fixing a hacked site, it is almost always an issue with plugins.
On one particular site they had two “Hello Dolly” plugins installed. A fresh WordPress install includes one called Hello Dolly as an example plugin. You should always remove this plugin. There isn’t a security issue with it, but you should only have the plugins you actually use installed. This site had a bunch of unused plugins, so there was no quick way to notice that a new one had been added. The second Hello Dolly plugin was not active, but its script was called from a remote server and was then used to send spam, lots and lots of spam.
Many plugins get updates for security issues along with bug fixes and new features. A year ago a few of the very popular caching plugins had a critical security update. I still come across sites that haven’t updated them. When your site runs the way you want, you rarely bother to do updates or even log in to the dashboard. Even before that there was the TimThumb exploit. This script took your images and created thumbnails. While it wasn’t necessarily WordPress specific, it was used in tons of plugins and themes. I assume most of the plugins and themes released updates to fix the issue by either utilizing the built-in uploading tools WordPress provides or upgrading to TimThumb 2.0, which fixed those holes.
Open a new window in your web browser and log in to your WordPress site. Next, go to the Plugins section and delete all the inactive plugins. Just because a plugin is not active does not mean it can’t do any harm. It just means WordPress won’t load any actions or filters it has set up; its files are still on the server and can still be requested directly.
Your plugins directory is usually located at /wp-content/plugins. If a hacker finds an exploit in one of your installed plugins, they already know where the file is. With the TimThumb exploit mentioned above, attackers would send that file a malicious request and it would write their file to the server. From there they could access whatever they needed to. Most of the time it was to have the server you are on send spam. Your web host won’t like that. Not only would your site be hacked and need to be cleaned, but the IP address of the server might also get blacklisted for sending email, and your web host will suffer from that if it isn’t caught soon enough.
Sending spam isn’t your problem, I get that. It’s just an example of what I often see. They can also modify your pages and posts. One I came across was inserting a link into every page. Another one added advertisements to the bottom of every post. While ads might not be a bad thing, it would be nice to get credit for them and to know they didn’t include anything malicious.
If you install a WordPress firewall plugin that emails you blocked requests, you will eventually come across a request trying to exploit a plugin that you don’t have installed. These attackers build a list of WordPress sites and use an automated process to try to exploit each one. If they find a vulnerable one, great (for them); if not, they just move on to the next site.
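As an added example, not code from the original post: a small Python audit over web-server access-log lines that flags the two things described above, requests that were served from an installed-but-inactive plugin’s files, and an IP probing for several plugins that are not installed at all. The log lines, plugin inventory, slugs and IP addresses are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Combined log format (Apache/nginx): client IP, request path, HTTP status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')
PLUGIN_RE = re.compile(r'^/wp-content/plugins/([A-Za-z0-9_.-]+)/')  # direct plugin-file hit

# Constructed inventory for a hypothetical site (a real one comes from the Plugins section).
INSTALLED = {"akismet", "hello-dolly", "hello-dolly-2", "wp-super-cache"}
ACTIVE = {"akismet", "wp-super-cache"}

# Constructed sample access-log lines: RFC 5737 test addresses, made-up plugin slugs.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2014:08:01:12 +0000] "GET /wp-content/plugins/hello-dolly-2/hello.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2014:08:01:13 +0000] "GET /wp-content/plugins/some-gallery/timthumb.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2014:08:01:14 +0000] "GET /wp-content/plugins/other-slider/timthumb.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2014:08:02:44 +0000] "GET /wp-content/plugins/akismet/_inc/akismet.js HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2014:08:02:45 +0000] "GET /2014/03/hello-world/ HTTP/1.1" 200 20111 "-" "Mozilla/5.0"
"""

def plugin_slug(path):
    """Return the plugin directory a request path points into, or None."""
    m = PLUGIN_RE.match(path.split("?", 1)[0])
    return m.group(1) if m else None

def audit(log_text, installed=INSTALLED, active=ACTIVE):
    """Classify plugin-directory requests: probes for plugins that are not installed,
    hits on installed-but-inactive plugins (still served by the web server), normal traffic."""
    result = {"probes": Counter(), "inactive": [], "active_hits": 0}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        slug = plugin_slug(m.group(2)) if m else None
        if slug is None:
            continue  # unparseable line, or not a request for a plugin file
        ip, status = m.group(1), int(m.group(3))
        if slug not in installed:
            result["probes"][(ip, slug)] += 1
        elif slug not in active:
            result["inactive"].append((ip, slug, m.group(2), status))
        else:
            result["active_hits"] += 1
    return result

def scanner_ips(result, min_distinct_slugs=2):
    """IPs that probed several plugins you do not have: automated scanning, not one mistyped URL."""
    seen = defaultdict(set)
    for ip, slug in result["probes"]:
        seen[ip].add(slug)
    return sorted(ip for ip, slugs in seen.items() if len(slugs) >= min_distinct_slugs)
```

A 200 response for a file under an inactive plugin is exactly the case the post warns about: WordPress ignored the plugin, the web server did not.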
At the end of the day, keep your plugins, themes and WordPress itself updated, and remove unused plugins.